nanog mailing list archives
Re: Log4j mitigation
From: Owen DeLong via NANOG <nanog () nanog org>
Date: Mon, 13 Dec 2021 11:38:04 -0800
On Dec 11, 2021, at 04:11 , Nick Hilliard <nick () foobar org> wrote:

> Andy Ringsmuth wrote on 11/12/2021 03:54:
>> The intricacies of Java are over my head, but I’ve been reading about this Log4j issue that sounds pretty bad. What do we know about this? What, if anything, can a network operator do to help mitigate this? Or even an end user?
>
> The payload can be contained in https, so there is no way of detecting / stopping this at the network level. Installations need to be upgraded / fixed.
>
> https://logging.apache.org/log4j/2.x/security.html
>
> 1. upgrade log4j to 2.15.0 and restart all java apps
> 2. start java with "-Dlog4j2.formatMsgNoLookups=true" (v2.10+ only)
> 3. start java with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" environment variable (v2.10+ only)
> 4. zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
>
> There's a lot of scanning going on at the moment, so if you have an exposed java instance running something which includes log4j2, you may already be compromised.
>
> Nick
Alternatively, this incantation solved the problem on my linux server:

    rpm -e log4j12 ant-apache-log4j log4j

Owen
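The mitigations quoted above (upgrade to 2.15.0, or strip JndiLookup.class out of log4j-core) leave an operator with a verification problem: which jars on a host are still exposed? The scanner below is an added example, not code from this thread or from the Log4j project. It walks a directory tree, reads each log4j-core jar's Maven pom.properties for its version, checks whether the JndiLookup class entry is still present, and classifies the jar against the fixed release the advice names. The `FIXED_VERSION` threshold, the `demo()` layout and the stand-in jars it builds (which contain only the entries the scanner reads, not real Log4j classes) are all constructed for this example.

```python
import os
import re
import tempfile
import zipfile

# Entry whose removal is mitigation 4 in the quoted advice.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that real log4j-core jars carry; the version line lives here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Fixed release named in the quoted advice (assumption: raise it if a later advisory moves the bar).
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.15' -> (2, 15, 0); None if not a dotted number."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?$", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def jar_version(zf, path):
    """Version from pom.properties inside the jar, falling back to the file name."""
    if POM_PROPERTIES in zf.namelist():
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$", os.path.basename(path))
    return parse_version(m.group(1)) if m else None


def assess_jar(path):
    """Classify one jar: mitigated / patched / vulnerable / unknown / unreadable."""
    try:
        with zipfile.ZipFile(path) as zf:
            version = jar_version(zf, path)
            has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    except zipfile.BadZipFile:
        return {"path": path, "version": None, "jndi_lookup_present": None, "status": "unreadable"}
    if not has_jndi:
        status = "mitigated"      # class stripped out, so the lookup cannot run
    elif version is None:
        status = "unknown"        # class present but no version to compare; inspect by hand
    elif version >= FIXED_VERSION:
        status = "patched"
    else:
        status = "vulnerable"
    return {"path": path, "version": version, "jndi_lookup_present": has_jndi, "status": status}


def scan_tree(root):
    """Assess every log4j-core jar under root, sorted by path for stable output."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar") and "log4j-core" in name:
                findings.append(assess_jar(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f["path"])


def build_sample_jar(path, version, include_jndi_class):
    """Constructed stand-in for a log4j-core jar: only the entries this scanner reads."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return path


def demo():
    """Build a constructed tree with three jars and return {relative path: status}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    for app in ("app1", "app2"):
        os.makedirs(os.path.join(root, app, "lib"))
    build_sample_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)   # unpatched
    build_sample_jar(os.path.join(root, "app2", "lib", "log4j-core-2.14.1.jar"), "2.14.1", False)  # class stripped
    build_sample_jar(os.path.join(root, "app2", "lib", "log4j-core-2.15.0.jar"), "2.15.0", True)   # upgraded
    return {f["path"][len(root) + 1:].replace(os.sep, "/"): f["status"] for f in scan_tree(root)}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:10s} {rel}")
```

Run it against a real host with `scan_tree("/")` (or the application roots you care about) instead of `demo()`. Note that it only sees jars on disk by name; log4j-core bundled inside a fat jar or WAR, or a jar renamed by a vendor, needs the archive opened one level deeper, and a positive result still needs the JVM restarted before the change takes effect.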